lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20211103110322.GP2794@kadam>
Date:   Wed, 3 Nov 2021 14:03:22 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     Michael Straube <straube.linux@...il.com>
Cc:     gregkh@...uxfoundation.org, Larry.Finger@...inger.net,
        phil@...lpotter.co.uk, linux-staging@...ts.linux.dev,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH] staging: r8188eu: fix a gcc warning

On Tue, Oct 19, 2021 at 12:12:31AM +0200, Michael Straube wrote:
> diff --git a/drivers/staging/r8188eu/os_dep/ioctl_linux.c b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
> index 51f46696a593..4f0ae821d193 100644
> --- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c
> +++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
> @@ -1926,7 +1926,7 @@ static int rtw_wx_set_enc_ext(struct net_device *dev,
>  		return -1;
>  	}
>  
> -	strncpy((char *)param->u.crypt.alg, alg_name, IEEE_CRYPT_ALG_NAME_LEN);
> +	strlcpy((char *)param->u.crypt.alg, alg_name, IEEE_CRYPT_ALG_NAME_LEN);

Greg has already taken this, and it's not a big deal, but generally
avoid using strlcpy().  It should be strscpy().  The difference is that
strlcpy() does strlen(alg_name) so it can be a read overflow if the
alg_name is not NUL terminated.

In this case, we know that alg_name is valid so it's fine.

I think that strlcpy() could all be converted to strscpy() without
breaking anything?  So eventually someone will probably use sed or
coccinelle to do that.

Changing strncpy() to strscpy() is more complicated because maybe people
test afterwards to see if the last character is NUL and also because
some need to be converted to strscpy_pad().

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ